Double Deception: Beware of Scammers Posing as Recovery Agents

SlowMist
7 min readMar 12, 2024

--

Recently, scammers (CYBER RESCUE) have been phishing under the guise of being able to “help recover/restore stolen funds” in response to a security alert tweet from our founder, Cos. In response to this, the SlowMist security team conducted an investigation on this scammer account and disclosed their scamming process. In doing so, we hope to raise awareness among the community to avoid being deceived.

Scamming Process

We contacted CYBER RESCUE, posing as a victim. They claimed to be able to recover 100% of stolen funds.(First red flag) Here’s how it went:

1. CYBER RESCUE, first inquires about the time of the theft, the wallet used, and the cause behind the theft, and then claims they can “recover 100% the stolen funds”. This method involves using the USDT on the BNB Smart Chain to transfer the stolen funds back to the victim’s wallet. They ask the victim to download MathWallet, explaining they will guide them through the transfer process and redirect the funds to their wallet.

2. Once Downloaded, the scammer instructs the victim to click on “Add Custom Asset” on the homepage. Asking them to enter the USDT contract address 0x55d398326f99059ff775485246999027b3197955 (which is the correct address). At this point, MathWallet automatically recognizes the token precision as 18.

Next, the scammer emphasizes changing the decimals from 18 to 0 while entering the contract address. The trick here is to get the victim to adds the correct USDT contract address but incorrect decimals. Let’s quickly go over why this is cruical for the scam. Decimals refers to the number of smallest divisible units of a token, determining the precision of the token in transactions and calculations. The higher the Decimals value, the greater the precision of the token.

After following the scammer’s instructions, the scammer stated that they had freeze the stolen funds and will now return them to the victim’s account. The scammer asked for our MetaMask wallet, but we pretended we didn’t know what they were talking about. The scammer couldn’t believe the we didn’t have a MetaMask wallet.

The scammer then began their “recovery” process:

After reviewing the transaction details provided, the scammer claimed they could only recover $89,589 of the stolen funds, explaining that the remaining funds had entered the foreign exchange market and were converted into the local currency.

Next, the scammer asked us to send a screenshot of our MathWallet account, advising us to stay connected the whole time as success or failure hinged on this moment. This is to pressured the already hurt victim, who was desperate to recover their lost funds, not realizing they were about to fall into another trap.

The scammer then asked the victim to click on “Manage Wallet” and then on “Export Private Key,” guiding the victim to share their private key. They that the needed the private key to connect to the application and transfer the funds to the victim’s wallet. If the scammer’s previous actions hadn’t raised enough suspicions, the request for the private key should have been a clear red flag to run.

We shared our private key with the scammer. Soon after, the scammer announced the operation was complete and asked us to check our wallet. We found the amount of USDT in our wallet had indeed changed to the 89,589 USDT the scammer promised, but is this really what happened?

Of course not, upon checking the block explorer, it was discovered that the scammer actually transferred only 0.000000000000089589 USDT. This discrepancy occurred because the victim, under the scammer’s guidance, we had changed the decimals in their wallet for a custom token from 18 to 0. Thus, while the scammer transferred only 0.000000000000089589 USDT, the victim’s wallet displayed it as 89,589 USDT.

The scammer, having obtained the private key, then sought to scam by telling the victim they needed sufficient BNB balance to conduct transactions to other accounts, suggesting the available balance should be 10% of the initial balance on the BNB Smart Chain network. If a victim was to believed this, they would have transferred about $8,968 worth of BNB to the wallet and the scammer would steal it.

When we used a block explorer to investigate this case, it revealed that the scammer’s address (0xe27126d1c17B42Eb42783655D339a782f779BABA) was making frequent small transactions to other addresses, indicating this is an ongoing scam.

Further investigation with MistTrack showed that the transaction fees for this address were paid by Binance. MistTrack has blacklisted the address and will continue to monitor futher fund movements.

MathWallet Update

In response to this case, MathWallet promptly issued an update to disable the manual adjustment of token precision. We advise users who have installed MathWallet to update the app via the App Store or Google Play.

Conclusion

In conclusion, the blockchain’s “dark forest” is teeming with scams. In this case, scammers even posed as on-chain tracking experts to phish victims, essentially guiding them step-by-step on how to hand over their private keys. The SlowMist security team hereby reminds all users to remain vigilant. Regardless of the identity the other party claims, never give out your private key to prevent theft. If your cryptocurrency is unfortunately stolen, we will provide free community assistance service for case assessment. You only need to submit a form according to the classification guide (funds stolen/encountered scam/encountered extortion). The hacker addresses you submit will also be synchronized to the MistTrack Threat Intelligence Network for risk control.

Forms
Chinese: https://aml.slowmist.com/cn/recovery-funds.html

English: https://aml.slowmist.com/recovery-funds.html)

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

We offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.

💬Website 🐦Twitter ⌨️GitHub

--

--

SlowMist
SlowMist

Written by SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.

Responses (3)